Windows
Analysis Report
mzQcZawXvh.exe
Overview
General Information
Detection
BitRAT
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Found malware configuration
Yara detected BitRAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Hides threads from debuggers
Machine Learning detection for sample
Injects a PE file into a foreign process
Contains functionality to hide a thread from the debugger
C2 URLs / IPs found in malware configuration
Possible FUD Crypter (malicious underground PE packer) detected
Uses dynamic DNS services
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Installs a global mouse hook
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- mzQcZawXvh.exe (PID: 5872, cmdline: "C:\Users\user\Desktop\mzQcZawXvh.exe", MD5: 514837C22746AE83FAD96926AD2DDF83)
- mzQcZawXvh.exe (PID: 5012, cmdline: "C:\Users\user\Desktop\mzQcZawXvh.exe", MD5: 514837C22746AE83FAD96926AD2DDF83)
- cleanup
{"Host": "toopdyno2.duckdns.org", "Port": "55140", "Tor Port": "0", "Install Dir": "0", "Install File": "0", "Communication Password": "3cd2623273605167e72c665ad9347c60", "Tor Process Name": "tor"}
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
| MALWARE_Win_BitRAT | Detects BitRAT RAT | ditekSHen |
| JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
| MALWARE_Win_BitRAT | Detects BitRAT RAT | ditekSHen |
| JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
| JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
| JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
| JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
| JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
Source | Author
---|---
| frack113